
String concatenation (strcat command) is duplicating results

Motivator

Hi,

I have this data

Properties: {   [-] 
         analyticsConfigs:  {   [+] 
        }   
         appVersion:     9.0.0  
         buildTarget:    blah   
         category:   Event  
         networkStatus: {   [-] 
         NT:     3  
        }   
         osName:     iOS    
         platformData:  {   [-] 
         BL:     1  
         BP:     87 
         FF:     1  
         HC:     Apple  
         HM:     iPhone7,2  
         HS:     3oiH88BN7fhGnT45o4s3NVO2rhbUBkTU8J74xBdGuJUMYytJqZQg9c1R_hIObb5wc1CKyNDXepajsVXA   
         LL:     en 
         LO:     US 
         OJ:     10.3.3 
         OS:     1  
         SA:     49953583104    
         ST:     63989493760    
         SU:     14035910656    
         UI:     17812487-32B5-4544-93F8-A3031EB2B0A6   
        }   
    }   
     analyticType:   SessionStart   
     buildTarget:    blah   
     clientSessionId:    DXFOS-CARQDTE  

and this query

index=wholesale_app buildTarget=blah analyticType=SessionStart   |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null"|strcat os " " osversion oo|stats count by oo

the query "works" but it appears that strcat is duplicating values because the results look like this

Android Android 6.0.1 6.0.1
Android Android 7.0 7.0
Android Android 7.1.1 7.1.1 
Android Android 8.0.0 8.0.0
iOS iOS 10.2.1 10.2.1

etc

Am I doing something I shouldn't???

0 Karma

Re: String concatenation (strcat command) is duplicating results

SplunkTrust

Run this and see if you still see duplicate values.

 index=wholesale_app buildTarget=blah analyticType=SessionStart      |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null" | table os osversion

If you do, it seems there are multiple field extractions being set up (maybe you used INDEXED_EXTRACTIONS and KV_MODE set to json in props.conf of both indexer/search head).
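
The double-extraction setup suggested in the reply above, next to a corrected one, as an added example that is not part of the thread or of the poster's actual configuration. The sourcetype name `example_app_json` is a constructed placeholder, and the sketch assumes the JSON events are already extracted at index time.

```ini
# Added example (not from the thread). "example_app_json" is a placeholder
# sourcetype; substitute the sourcetype of the affected index.

# ---------------------------------------------------------------------
# Setup that extracts every JSON field twice
# ---------------------------------------------------------------------
# props.conf on the forwarder or indexer that parses the data:
[example_app_json]
INDEXED_EXTRACTIONS = json

# props.conf on the search head, same sourcetype:
[example_app_json]
KV_MODE = json

# Effect: each field is extracted once at index time and again at search
# time, so Properties.osName becomes a multivalue field such as
# ("iOS", "iOS"). strcat then joins every value, which gives results
# like "iOS iOS 10.2.1 10.2.1".

# ---------------------------------------------------------------------
# Corrected: keep the index-time extraction, turn off the search-time one
# ---------------------------------------------------------------------
# props.conf on the forwarder or indexer (unchanged):
[example_app_json]
INDEXED_EXTRACTIONS = json

# props.conf on the search head:
[example_app_json]
# No search-time key/value extraction for this sourcetype
KV_MODE = none
# Do not auto-detect and extract JSON at search time either
AUTO_KV_JSON = false
```

After the search-head change, the `| table os osversion` check from the reply should show one value per field, and the `mvdedup` or `mvindex` workarounds are no longer needed for this sourcetype.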


Re: String concatenation (strcat command) is duplicating results

Motivator

I also "fixed" (well that is generous.... I kinda hacked at it) the problem by doing this

index=wholesale_app buildTarget=blah analyticType=SessionStart   |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null"|strcat os " " osversion oo|rex field=oo "(Android|iOS)\s(?<ooo>\w+\s[^\s]+)"|stats count by ooo
0 Karma

Re: String concatenation (strcat command) is duplicating results

SplunkTrust

Works. Another method:

index=wholesale_app buildTarget=blah analyticType=SessionStart      |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null" | eval os=mvdedup(os) | eval osversion=mvdedup(osversion) |strcat os " " osversion oo|stats count by oo

You can also use mvindex(<<FIELDNAME>>,-1) instead of mvdedup.

0 Karma

Re: String concatenation (strcat command) is duplicating results

Motivator

yep there are dups

os         osversion
iOS        11.1.2
iOS        11.1.2

iOS        11.1.1
iOS        11.1.1

Android    7.0
Android    7.0

Android    7.0
Android    7.0

iOS        11.1.1
iOS        11.1.1

Android    7.0
Android    7.0

Android    7.0
Android    7.0

I'll get with support as they set up the extraction.... Thank you!!!


0 Karma